Abstract. Communication Based Train Control (CBTC) is the state-of-the-art train control system. In a CBTC system, to guarantee the safety of train operation, trains communicate with each other intensively and adjust their control modes autonomously by computing critical control parameters, e.g. the velocity range, according to the information they receive. As the correctness of the generated control parameters is critical to the safety of the system, a method to verify these parameters is strongly desired in the area of train control systems. In this paper, we use the experience gained while verifying a CBTC system to present our ideas on how to model and verify the control parameter calculations in a CBTC system efficiently.

- As the behavior of the system is highly nondeterministic, it is difficult to build and verify the complete behavior space model of the system offline in advance. Thus, we propose to model the system according to the ongoing behavior model induced by the control parameters.

- As the parameters are generated online and updated very quickly, say every 500 milliseconds in the case we met, the verification result will be meaningless if it is given beyond the time bound, since by that time the model will already have changed. Thus, we propose a method to quickly verify the existence of certain dangerous scenarios in the model online.

To demonstrate the feasibility of these proposed approaches, we present composed linear hybrid automata with readable shared variables as a modeling language to model the control parameter calculation, and give a path-oriented reachability analysis technique for the scenario-based verification of this model. We demonstrate the model built for the CBTC system, and show the performance of our technique in fast online verification. Last but not least, as a CBTC system is a typical CPS system, we also give a short discussion of potential directions for CPS verification in this paper.



1 Introduction 

Nowadays, as communication has been embedded deeply into our daily life, computation has evolved from being located in one single standalone device to the collaboration of networks of equipment. In such a manner, more and more systems work in open environments, receive signals and stimuli from sensors, actuators and networks, and then calculate their control modes and parameters accordingly. The newly generated control modes and parameters dynamically control the behavior of the system itself as well as the behavior of other components in the network. These systems have a tight integration of information systems and physical devices, and are named Cyber-Physical Systems (CPS) [13].

By combining communication, computation and control (3C), in a CPS system 
physical devices can have more knowledge of the environment they are working in 
and the real-time status of the other elements which they are collaborating with. Thus, 
devices can autonomously generate more accurate instructions and gain advantages like 
safety, reliability and efficiency. 

Public transportation is a typical area where CPS systems are emerging and playing more and more important roles. CBTC is the state-of-the-art technique in the train control area and fundamental for the building and controlling of high speed railway systems. While trains run on the railway, the radio block center (RBC) collects the position of each train periodically and computes the movement authority (MA), which is the distance that the train is authorized to go, for each train. Then the onboard train controller computes the feasible velocity range by taking into account the movement authority and the current running parameters of the train, e.g., current position and velocity. These are typical procedures of a CBTC system, which is clearly a Cyber-Physical System. One of the most important questions that concern the design engineers of a CBTC system is whether the parameters generated by the control functions used in the system are correct, e.g. that trains will not collide with each other during operation.

In general, if we can build a model for the control parameter calculations and verify it, we can answer the question of the correctness of the parameters. Currently, most verification work consists of the following two steps: First, build the complete static formal model of the system. Second, verify the correctness of the model under the given property offline using techniques like model checking [8]. For CBTC systems, as the inputs of the control functions, e.g. current velocity, position and movement authority, are generated and collected online, it is hard to predict the complete behavior space of the system under verification. Thus, it is difficult to build and verify a complete static model of the system's behavior offline in advance. To overcome this problem, we discuss our opinions about the verification of control parameter calculations in CBTC as follows:

- Modeling

• As discussed above, it is hard to build and verify the complete behavior space model of the control functions offline in advance. We propose that the model should focus on the ongoing static behavior of the system in the near future, driven by the current control parameters.

• For modeling the ongoing behavior of the running CBTC system, as the system is composed of a large number of components, e.g., one control system for each train running on the track, the model should naturally be a composed system.

• Data are transmitted along with the communication between components. Thus, the modeling language needs to support the representation of the synchronization among components and of the data transmission that comes with it.

- Verification

• The verification problem will not try to prove whether the control functions are correct or not. The verification procedure will focus on answering whether the current parameters are correct.

• As models are generated online, the verification procedure needs to be carried out online. As the model for the system will be updated quickly, it is necessary to give the verification result before the model is changed, which means the verification has to be time bounded and fast.

• A set of parameters basically induces a series of operation modes in the near future, which can make up several scenarios of the operation of the system. What needs to be verified is the existence of certain scenarios in the behavior of the model, which is represented as the reachability of certain paths in the model.

Therefore, from the points of view of both modeling and verification, in this paper we propose a new method to prove the correctness of the parameter calculations online while the CBTC system is in operation, which can be realized as an additional device deployed on-site, monitoring and guaranteeing the correctness of the parameters online.

Based on this scheme, we present a formal model named Hybrid Automata with Readable Shared Variables to model the control parameter calculations of the CBTC system, and a path-oriented reachability verification technique to verify a reachability property along a path set in the model, to achieve the goal of fast online verification. To demonstrate the feasibility of this scheme, the model for the control parameter calculations of the CBTC system is given in the paper, and several case studies are conducted on the model to illustrate the performance of the fast online verification.

Structure of The Paper. This paper is organized as follows. In the next section, we give a brief description of the running example of our study, the Communication Based Train Control system, and summarize the requirements for verifying the control parameter calculations in a CBTC system. In Sec. 3, we present our modeling language for the CBTC system, Composed Hybrid Systems with Readable Shared Variables, give the model we built for the CBTC system and show how to verify the existence of given critical scenarios in the system by the path-oriented reachability analysis method. Sec. 4 verifies the existence of the dangerous scenarios in the model we built for the CBTC system and demonstrates the processing ability of the path-oriented reachability method in the online verification of CBTC systems. Sec. 5 summarizes the related work on the verification of train control systems and proposes several potential directions in the verification of CPS systems based on our experience in verifying the CBTC system. Finally, the conclusion is stated in Sec. 6.

2 Motivating Example: CBTC System 
2.1 Communication Based Train Control System 

A train control system is at the heart of the safe and efficient operation of train systems. Many organizations and projects are devoted to the research and development of train control systems with high dependability. Many standards have been proposed to give detailed and comprehensive rule sets and guidance for the operation of railway systems, for inter-vehicle and vehicle-to-infrastructure cooperation, like the European Train Control System (ETCS) [5] and the Chinese Train Control System (CTCS) [6]. According to different infrastructure utilities, data transmission methods and train control methodologies, ETCS/CTCS is divided into several equipment and functional levels.



Communication based train control (CBTC), at the high levels of ETCS/CTCS, is believed to be the most advanced signaling technique and the fundamental method underlying the latest high speed railway systems. It uses data communication between trains and various control facilities to guarantee the safety and efficiency of train operation. It can be abstractly divided into two main parts: ground systems and onboard systems. Ground systems track the runtime status of all the trains periodically. The radio block center (RBC) sends the needed information, e.g., the movement authority, to the onboard systems on the train. Then the onboard systems compute the velocity curve autonomously by taking into account the movement authority they received and the current operation status of the train. Ideally, the movement authority indicates an End-of-Authority (EOA) point [15,16] which lies a rear safe distance before the end of the train ahead. During train operation, it also needs to be guaranteed that there is enough space for the train to stop completely by emergency braking before touching the EOA point; this distance is named the "Safe braking distance" (SBD). A simple illustration of the communication and movement authority granting is shown in Fig. 1.

Fig. 1. Sample Scenario of A Running CBTC system



Our running example is a typical CBTC system which is to be used in an urban railway system in China. As the system is still under design and debugging, our team joined the project to help verify the correctness of the design of the ATP module of the CBTC system. One of the questions that most bothers the engineers from the area of railway systems is how to guarantee the absence of certain dangerous scenarios, e.g., train collision. We will use some of these scenarios to show the motivation of this paper, and introduce our thoughts about the verification of control parameter calculations in CBTC systems.

In the design, all the trains need to communicate with the RBC with a period of 500 milliseconds. The RBC grants the movement authority to each train by telling it the position of its EOA point. After that, the onboard computer starts to calculate the legal operation speed by taking into account the current speed of the train, the limitations of the train and the track, and so on. The train is free to move under the generated operating speed before reaching the safe braking distance point (SBD), which lies a safe braking distance away from the EOA point. Once an SBD point is reached, the train brakes immediately to try to stop completely before moving beyond the EOA point. When the train has not received any signal from the RBC for 5 seconds, the automatic train protection (ATP) module of the CBTC system takes over the control of the train operation and asks the train to brake urgently as well. What the designers are worried about is whether, under certain scenarios, the train can stop safely under the control parameters without going beyond the movement authority and colliding with the train ahead.

2.2 Requirements for Verifying Control Parameter Calculations in the CBTC System

To verify the control parameter calculations in the CBTC system, we need to build a formal model for the system, and we first summarize the characteristics of the CBTC system:

- Modeling

• Static Model For Time-Bounded Behavior. As the behavior of the CBTC system is highly nondeterministic, e.g., the input of the control functions includes many runtime dynamic parameters, it is difficult to predict the complete behavior of the system, let alone verify it. Thus, the modeling and verification effort should focus on the ongoing behavior after synchronization or after receiving signals, which is the deterministic part of the entire nondeterministic behavior space.

• Compositional Verification. The running CBTC system includes all the operating trains on the track and the RBCs. These components communicate with each other intensively, so the system is naturally concurrent. Due to the dynamical behavior of the system, each component should be a hybrid automaton. Thus, the model for the system should be a composed hybrid system.

• Shared Label and Variable. The modeling language has to support the representation of the synchronization between components. Data are also transmitted during the synchronization. This is natural, because a component running in a system cannot read the other components' running parameters at any time. We propose to use shared labels to represent the synchronization among component automata, and communication with other components is represented as shared variables in transition guards and reset actions on shared labels.

- Verification

• Online and Fast Verification. As the environment the CBTC system works in is changing quickly, every 500 ms in the running example, if we cannot answer the verification questions within 500 ms, the result will be meaningless. Thus, once a set of control parameters is calculated, the verification module needs to give a quick answer as to whether this set of parameters violates certain properties, e.g., safety. Therefore, the verification should be online and fast.

• Control Parameter Driven Verification. As the verification procedure needs to be online and fast, it will not try to determine the correctness of the complex control functions beneath the system, but only give a quick answer about the correctness of the parameters generated.

• Time-Bounded and Scenario-Based Verification. According to the requirements of the designers of this CBTC system, the verification problem they are most concerned with is checking whether certain bad scenarios will happen in the control modes induced by the current parameters. A scenario is translated into a sequence of control modes in the model, which constitutes a path. Thus, what needs to be verified is the reachability of a certain property along the path/scenario.

In summary, we think the modeling language for the control parameter calculations in a CBTC system should be composed hybrid automata with support for shared labels and shared variable reading. The model of the system should be a small static model induced by the generated control parameters. The verification procedure should be a scenario-based, path-oriented compositional reachability analysis.

3 Verifying The Control Parameter Calculations in CBTC Systems
3.1 Modeling of The CBTC System 

For the CBTC system on a train, the set of control parameters includes the current velocity range, the target velocity range, the location of the end of movement authority (EOA) point, the location of the safe braking distance (SBD) point, the position of the train itself and so on. Thus, this set of parameters determines a clear dynamic behavior of the train over time, which can naturally be modeled as a hybrid automaton (HA).

Now, let us widen our view from a single train to a series of trains running on a track. Trains communicate with RBCs and other trains periodically during operation. Data, e.g., the location of the train ahead, are transmitted to each train along with the communication. Thus, the model for the complete system should be a composed hybrid automaton. Furthermore, in the composed system, component HAs synchronize with each other using shared labels, and a component can only read the value of the variables of other components on shared labels.

Based on the above discussion, we give the definition of the class of HA we propose for CBTC systems as follows:

Definition 1. A hybrid automaton with readable outer variables ($HA_{RV}$) is a tuple $H = (X^l, X^s, \Sigma^l, \Sigma^s, V, V^0, E, \alpha, \beta, \gamma)$, where

- $X^l$ is a finite set of real-valued variables which belong to $H$; $X^s$ is a finite set of real-valued variables which do not belong to $H$, but can be read by $H$ at certain positions; $X^l \cap X^s = \emptyset$.

- $\Sigma^l$ is a finite set of local event labels which belong to $H$ only; $\Sigma^s$ is a finite set of event labels which belong to several $HA_{RV}$s; $\Sigma^l \cap \Sigma^s = \emptyset$.

- $V$ is a finite set of locations; $V^0 \subseteq V$ is a set of initial locations.

- $E$ is a transition relation whose elements are of the form $(v, \sigma, \phi, \psi, v')$, where $v, v' \in V$, $\sigma \in \Sigma^l \cup \Sigma^s$ is a label, $\phi$ is a set of transition guards of the form $f(y) \le a$, and $\psi$ is a set of reset actions of the form $x := f(y)$, where $x \in X^l$, $a \in \mathbb{R}$, and

• if $\sigma \in \Sigma^l$, then $y \in X^l$;

• if $\sigma \in \Sigma^s$, then $y \in X^l \cup X^s$; if $y \in X^s$, we say $\sigma$ is $y$-related;

- $\alpha$ is a labeling function which maps each location in $V$ to a location invariant, which is a set of variable constraints of the form $f(y) \le a$ where $y \in X^l$, $a \in \mathbb{R}$.

- $\beta$ is a labeling function which maps each location in $V$ to a set of flow conditions, which are of the form $\dot{x} = g(y)$ where $x \in X^l$. For any $v \in V$ and any $x \in X^l$, there is one and only one flow condition $\dot{x} = g(y) \in \beta(v)$, where $x, y \in X^l$.

- $\gamma$ is a labeling function which maps each location in $V^0$ to a set of initial conditions, which are of the form $x = a$ where $x \in X^l$ and $a \in \mathbb{R}$. For any $v \in V^0$ and any $x \in X^l$, there is at most one initial condition $x = a \in \gamma(v)$.

If each $f(y)$ is a linear expression, and $g(y) = [a, b]$ where $a, b \in \mathbb{R}$, we say this $HA_{RV}$ is an $LHA_{RV}$ (linear hybrid automaton with readable outer variables).

For a group of $HA_{RV}$s, their composition $CHA_{RV}$ is defined as a product $HA_{RV}$ generated by synchronizing all the components with respect to the shared labels.

Definition 2. Let $H_1 = (X_1^l, X_1^s, \Sigma_1^l, \Sigma_1^s, V_1, V_1^0, E_1, \alpha_1, \beta_1, \gamma_1)$ and $H_2 = (X_2^l, X_2^s, \Sigma_2^l, \Sigma_2^s, V_2, V_2^0, E_2, \alpha_2, \beta_2, \gamma_2)$ be two $HA_{RV}$s, where $X_1^l \cap X_2^l = \emptyset$ and $\Sigma_1^l \cap \Sigma_2^l = \emptyset$. The composition of $H_1$ and $H_2$, denoted as $H_1 \| H_2$, is an $HA_{RV}$ $N = (X^l, X^s, \Sigma^l, \Sigma^s, V, V^0, E, \alpha, \beta, \gamma)$ where

- $X^l = X_1^l \cup X_2^l$; $X^s = (X_1^s \cup X_2^s) \setminus (X_1^l \cup X_2^l)$;

- $\Sigma^l = \Sigma_1^l \cup \Sigma_2^l \cup (\Sigma_1^s \cap \Sigma_2^s)$; $\Sigma^s = \Sigma_1^s \cup \Sigma_2^s$;

- $V = V_1 \times V_2$; $V^0 = V_1^0 \times V_2^0$;

- $\alpha((v_1, v_2)) = \alpha_1(v_1) \cup \alpha_2(v_2)$; $\beta((v_1, v_2)) = \beta_1(v_1) \cup \beta_2(v_2)$; $\gamma((v_1, v_2)) = \gamma_1(v_1) \cup \gamma_2(v_2)$;

- $E$ is defined as follows:

• for $\sigma \in \Sigma_1^s \cap \Sigma_2^s$, for every $(v_1, \sigma, \phi_1, \psi_1, v_1')$ in $E_1$ and $(v_2, \sigma, \phi_2, \psi_2, v_2')$ in $E_2$, $E$ contains $((v_1, v_2), \sigma, \phi_1 \cup \phi_2, \psi_1 \cup \psi_2, (v_1', v_2'))$;

• for $\sigma \in \Sigma_1^l \cup (\Sigma_1^s \setminus \Sigma_2^s)$, for every $(v, \sigma, \phi, \psi, v')$ in $E_1$ and every $t$ in $V_2$, $E$ contains $((v, t), \sigma, \phi, \psi, (v', t))$;

• for $\sigma \in \Sigma_2^l \cup (\Sigma_2^s \setminus \Sigma_1^s)$, for every $(v, \sigma, \phi, \psi, v')$ in $E_2$ and every $t$ in $V_1$, $E$ contains $((t, v), \sigma, \phi, \psi, (t, v'))$.

For all $m > 2$, the composition of the $HA_{RV}$s $H_1, H_2, \dots, H_m$, denoted as $H_1 \| H_2 \| \dots \| H_m$, is an $HA_{RV}$ which is defined recursively as $H_1 \| H_2 \| \dots \| H_m = H_1 \| H'$ where $H' = H_2 \| H_3 \| \dots \| H_m$.
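As an added example (not from the paper), the following Python code implements the product construction of Definition 2 on a much reduced, constructed pair of automata in the spirit of the $Train_i$ and $RBC_j$ of Fig. 2: the two components synchronize on the shared labels syn and updateMA, the RBC reads the train's position x on syn and the train reads the RBC's movement authority ma on updateMA, and the composition shows both outer variables becoming internal. The location names, the local labels cv, op, EBrake and pre, and the guard and reset strings are assumptions made for illustration.

```python
from dataclasses import dataclass
from itertools import product

@dataclass
class HARV:
    """Hybrid automaton with readable outer variables (Definition 1). Guards, resets,
    invariants and flows are kept as strings: only the structure needed by the
    product construction of Definition 2 is modelled."""
    Xl: frozenset   # own real-valued variables
    Xs: frozenset   # outer variables, readable on shared labels only
    Sl: frozenset   # local event labels
    Ss: frozenset   # shared event labels
    V: frozenset    # locations
    V0: frozenset   # initial locations
    E: tuple        # transitions (v, sigma, phi, psi, v') with phi, psi frozensets of strings
    alpha: dict     # location -> invariants
    beta: dict      # location -> flow conditions
    gamma: dict     # initial location -> initial conditions

def compose(H1, H2):
    """H1 || H2 as in Definition 2; H1 || ... || Hm is the recursive H1 || (H2 || ... || Hm)."""
    assert not (H1.Xl & H2.Xl) and not (H1.Sl & H2.Sl), "own variables and local labels must be disjoint"
    Xl = H1.Xl | H2.Xl
    Xs = (H1.Xs | H2.Xs) - Xl               # an outer variable owned by the partner becomes internal
    shared = H1.Ss & H2.Ss
    Sl = H1.Sl | H2.Sl | shared             # labels shared by both become local to the product
    Ss = H1.Ss | H2.Ss                      # as written in Definition 2
    V = frozenset(product(H1.V, H2.V))
    V0 = frozenset(product(H1.V0, H2.V0))
    E = []
    for v1, s, phi1, psi1, w1 in H1.E:
        if s in shared:                     # synchronised jump: guards and resets are joined
            E += [((v1, v2), s, phi1 | phi2, psi1 | psi2, (w1, w2))
                  for v2, s2, phi2, psi2, w2 in H2.E if s2 == s]
        else:                               # sigma in Sl_1 or Ss_1 \ Ss_2: H2 keeps its location
            E += [((v1, t), s, phi1, psi1, (w1, t)) for t in H2.V]
    for v2, s, phi2, psi2, w2 in H2.E:
        if s not in shared:                 # sigma in Sl_2 or Ss_2 \ Ss_1: H1 keeps its location
            E += [((t, v2), s, phi2, psi2, (t, w2)) for t in H1.V]
    merge = lambda f1, f2, locs: {(a, b): f1.get(a, frozenset()) | f2.get(b, frozenset()) for a, b in locs}
    return HARV(Xl, Xs, Sl, Ss, V, V0, tuple(E),
                merge(H1.alpha, H2.alpha, V), merge(H1.beta, H2.beta, V), merge(H1.gamma, H2.gamma, V0))

fs = frozenset
# Constructed, much reduced stand-ins for the Train_i and RBC_j automata of Fig. 2.
TRAIN = HARV(
    Xl=fs({'x', 'v', 't', 'eoa'}), Xs=fs({'ma'}), Sl=fs({'cv', 'op', 'EBrake'}), Ss=fs({'syn', 'updateMA'}),
    V=fs({'wait', 'compute', 'adjust', 'cruise', 'EBrake'}), V0=fs({'wait'}),
    E=(('wait', 'updateMA', fs(), fs({'eoa := ma'}), 'compute'),   # reads the RBC's ma: updateMA is ma-related
       ('compute', 'cv', fs(), fs({'v := f(eoa)'}), 'adjust'),
       ('adjust', 'op', fs(), fs(), 'cruise'),
       ('cruise', 'syn', fs(), fs(), 'wait'),
       ('cruise', 'EBrake', fs({'t >= 5'}), fs(), 'EBrake')),
    alpha={'cruise': fs({'x <= sbd'}), 'EBrake': fs({'x <= eoa'})},
    beta={loc: fs({"x' = v", "t' = 1"}) for loc in ('wait', 'compute', 'adjust', 'cruise', 'EBrake')},
    gamma={'wait': fs({'x = 0', 't = 0'})})
RBC = HARV(
    Xl=fs({'pos', 'ma'}), Xs=fs({'x'}), Sl=fs({'pre'}), Ss=fs({'syn', 'updateMA'}),
    V=fs({'idle', 'preprocess', 'computeMA'}), V0=fs({'idle'}),
    E=(('idle', 'syn', fs(), fs({'pos := x'}), 'preprocess'),       # reads the train's x: syn is x-related
       ('preprocess', 'pre', fs(), fs({'ma := k(pos)'}), 'computeMA'),
       ('computeMA', 'updateMA', fs(), fs(), 'idle')),
    alpha={}, beta={}, gamma={'idle': fs({'ma = 0'})})

if __name__ == '__main__':
    N = compose(TRAIN, RBC)
    print(len(N.V), 'locations,', len(N.E), 'transitions, outer variables left:', set(N.Xs))
```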

Using the formal language defined above, we build a set of models of the system which includ nonlinear control functions, as shown below. These models consist of two main parts:

- $n$ trains running on the track; the automaton for each train is shown in Fig. 2(A).

- $m$ RBC centers; the automaton for each RBC is shown in Fig. 2(B).

From Fig. 2 we can see that the behavior of the system consists of the following aspects:

- Trains and RBCs communicate by two labels, updateMA and syn.

- After the global synchronization syn, an RBC gets the running parameters from the related trains. Then the RBC performs a preprocessing job before it starts to compute and assign the latest MA to the related trains.

- After preprocessing, the RBC computes the new MA for the related trains using the complex function $k()$ and sends them to the related trains by the shared label updateMA.

- When it receives the new MA, each train computes the local velocity and SBD using the control functions $f()$ and $g()$, and it starts to adjust the running velocity from the current range $[c_i, c_i']$ to the latest range $[n_i, n_i']$.



Fig. 2. Hybrid Automata For $Train_i$ Using CBTC (A) and RBC Center $RBC_j$ (B)

- During the adjustment period, we abstract the velocity to the mean of the old and new values of the velocity range.

- After the train $Train_i$ is running under the new velocity range, it keeps checking the current position to make sure it has not moved beyond the safe braking point.

- Once the safe braking point is touched, the train starts to brake normally to try to stop completely before touching the end of the movement authority.

- If the train has operated safely for 5 seconds without receiving any communication signal, the train assumes the communication channel is broken and emergency braking is executed immediately.

- Once a train starts the braking procedure, it must stop completely in less than 5 seconds.

Considering a system with dozens of subsystems, e.g., trains and RBCs, and with the complex nonlinear functions $f()$, $g()$ and $k()$ included, it is very difficult to verify properties on the model, as widely reported in the literature [21]. Furthermore, many parameters used in the functions $f()$, $g()$ and $k()$ are collected and generated online nondeterministically, e.g., temporary speed limitations, wind speed, mass of the train, etc. Even if there were a method to verify the complex nonlinear functions, as these critical parameters cannot be predicted precisely in advance, the offline verification of the system would still be very difficult.

3.2 Scenario Based Verification and Path-oriented Reachability Analysis 

For the verification of the control parameter calculations in CBTC systems, one of the problems the designers are most concerned with is whether, when $Train_i$ starts to brake, it can stop completely before passing the EOA point, or whether it may even collide with the train ahead under the generated parameters. This problem indicates an execution scenario of the behavior of each train in the system, from location compute to EBraking, and a target property to verify: the physical position of $Train_i$ equals that of the train ahead, $Train_{i-1}$.



Scenario-Based Automata. As discussed in the last section, the verification of the given scenario-based property on the models given in Fig. 2 is very difficult. On the other hand, the control parameters generated by the control functions induce a static control model of the behavior of the CBTC system in the near future, before the generation of the next set of parameters.

Based on this idea, we simplify the models given in the last section. As the control parameters are already calculated and saved, e.g. $ma_{c_i}$ and $sbd_{c_i}$ for the movement authority and safe braking distance of $Train_i$, the control functions can be dismissed in the new scenario-based model. The component RBCs can also be dismissed from the system, because the scenario-based automaton stands for the behavior of the system after the latest MA has been granted and before the next communication, and during that period the train $Train_i$ does not have to communicate with any RBC. As a result, we build the scenario-based static running automaton for $Train_i$ as an $LHA_{RV}$ as shown in Fig. 3.




This scenario on a single $LHA_{RV}$ $Train_i$ is presented as an evolution of the system from location to location, e.g., $(comp) \xrightarrow{cv_i} (adjust) \xrightarrow{op_i} (cruise) \xrightarrow{EBrake} (EBrake)$ in the automaton $Train_i$. Using the same notion given in [11], we name such a sequence of locations a path. By assigning each location a nonnegative real number, we get a timed sequence of the form $\binom{comp}{\delta_0} \xrightarrow{cv_i} \binom{adjust}{\delta_1} \xrightarrow{op_i} \binom{cruise}{\delta_2} \xrightarrow{EBrake} \binom{EBrake}{\delta_3}$. This timed sequence represents a behavior of the model such that the system starts at location compute, stays there for $\delta_0$ time units, then jumps to location adjust by transition $cv_i$ and stays at adjust for $\delta_1$ time units, and so on.

Let $N = H_1 \| H_2 \| \dots \| H_m$ be a $CLHA_{RV}$ where $H_i = (X_i^l, X_i^s, \Sigma_i^l, \Sigma_i^s, V_i, V_i^0, E_i, \alpha_i, \beta_i, \gamma_i)$ ($1 \le i \le m$) is an $LHA_{RV}$, and let $p$ be a path in $N$ of the form $p = (v_0) \xrightarrow[\sigma_0]{(\phi_0, \psi_0)} (v_1) \xrightarrow[\sigma_1]{(\phi_1, \psi_1)} \dots \longrightarrow (v_n)$. It follows that $v_i = (v_{i1}, v_{i2}, \dots, v_{im})$ ($0 \le i \le n$) where $v_{ik} \in V_k$ ($1 \le k \le m$). For any $k$ ($1 \le k \le m$), we construct the sequence $p_k$ from $p$ as follows: replace any $v_i$ with $v_{ik}$ ($0 \le i \le n$), and for any $\xrightarrow[\sigma_{i-1}]{(\phi_{i-1}, \psi_{i-1})} (v_i)$ ($1 \le i \le n$), if $(v_{i-1,k}, \sigma_{i-1}, \phi, \psi, v_{ik}) \in E_k$, then replace it with $\xrightarrow[\sigma_{i-1}]{(\phi, \psi)} (v_{ik})$, otherwise remove it. It follows that $p_k$ is a path in $H_k$. We say that $p_k$ is the projection of $p$ on $H_k$. Intuitively, $p_k$ is the execution trace of $H_k$ when $N$ runs along $p$. Thus, the complete scenario is a path set for the system, consisting of one path for each component.



Reachability Specification. Now, let us look at the reachability specification: during braking, $Train_i$ collides with the train ahead, $Train_{i-1}$, which means the position of $Train_i$ is the same as that of the train ahead, $Train_{i-1}$, in the location EBraking. This property can be formally translated as $Train_i.x = Train_{i-1}.x$ in location EBraking.

For an $LHA_{RV}$ $H = (X, X^s, \Sigma, \Sigma^s, V, V^0, E, \alpha, \beta, \gamma)$, a reachability specification, denoted as $\mathcal{R}(v, \varphi)$, consists of a location $v$ in $H$ and a set $\varphi$ of variable constraints of the form $a \le c_0 x_0 + c_1 x_1 + \dots + c_l x_l \le b$ where $x_i \in X \cup X^s$ for any $i$ ($0 \le i \le l$), and $a$, $b$ and $c_i$ ($0 \le i \le l$) are real numbers.

Definition 3. Let $H = (X, X^s, \Sigma, \Sigma^s, V, V^0, E, \alpha, \beta, \gamma)$ be an $LHA_{RV}$, and $\mathcal{R}(v, \varphi)$ be a reachability specification. A behavior of $H$ of the form $\binom{v_0}{\delta_0} \xrightarrow[\sigma_0]{(\phi_0, \psi_0)} \binom{v_1}{\delta_1} \xrightarrow[\sigma_1]{(\phi_1, \psi_1)} \dots \longrightarrow \binom{v_n}{\delta_n}$ satisfies $\mathcal{R}(v, \varphi)$ iff $v_n = v$ and each variable constraint in $\varphi$ is satisfied when the automaton has stayed in $v_n$ for delay $\delta_n$, i.e. for each variable constraint $a \le c_0 x_0 + c_1 x_1 + \dots + c_l x_l \le b$ in $\varphi$, $a \le c_0 \zeta_n(x_0) + c_1 \zeta_n(x_1) + \dots + c_l \zeta_n(x_l) \le b$, where $\zeta_n(x_k)$ ($0 \le k \le l$) represents the value of $x_k$ when the automaton has stayed at $v_n$ for the delay $\delta_n$. $H$ satisfies $\mathcal{R}(v, \varphi)$ iff there is a behavior of $H$ which satisfies $\mathcal{R}(v, \varphi)$.

Definition 4. Let $N = H_1 \| H_2 \| \dots \| H_m$ be a $CLHA_{RV}$, $P = \{p_1, p_2, \dots, p_m\}$ be a path set, where $p_i$ is a finite path in $H_i$ ($1 \le i \le m$), and $\mathcal{R}(v, \varphi)$ be a reachability specification. $P$ satisfies $\mathcal{R}(v, \varphi)$ if and only if there is a path $p$ of $N$ such that the projection of $p$ on $H_i$ is $p_i$ ($1 \le i \le m$), and there is a behavior along $p$ which satisfies $\mathcal{R}(v, \varphi)$.




Path-Oriented Reachability Analysis. In this paragraph, we show how to verify a reachability specification along a path set in a $CLHA_{RV}$ system efficiently using linear programming.

Generally speaking, the model checking problem for hybrid systems is very difficult. Even for a single LHA, the reachability analysis problem is undecidable [1,2,3]. The performance of existing techniques for the compositional analysis of LHA systems is even worse. The state-of-the-art tool HYTECH [4] and its improvement PHAVer [?] need to compute the composition of the whole system into a unique global automaton and then use expensive polyhedra computation for reachability analysis, which suffers from the state explosion problem and greatly restricts the solvable problem size.

To overcome this drawback, in [11] we presented an efficient approach for the path-oriented reachability analysis of LHA compositions. This technique checks a group of paths at a time, one path for each LHA; all of the paths are transformed into a group of linear constraints automatically. Then, a few constraints about the system integration according to the synchronization events in each path are added to ensure that the components cooperate correctly. It follows that the reachability problem along those specific paths can be reduced to a linear program. Using this method, both the path length and the number of participating automata checked can be scaled up greatly to satisfy practical requirements. This approach of symbolic execution of paths can be used by design engineers to check critical paths, and thereby increases the faith in the system's correctness. This path-oriented technique can easily be extended to $CLHA_{RV}$ systems. We use a simple example to illustrate our idea below.





Fig. 4. Sample Automata (A) And The Path-oriented Reachability Encoding (B)



For example, Fig. 4(A) gives a simple system consisting of three subsystems $S$, $T$ and $K$, which synchronize with each other by the shared labels $b$, $e$ and $f$. Each system has one variable: $s$ for $S$, $t$ for $T$, $k$ for $K$. The flow conditions for each variable are unified as $\dot{x} \in [0.9, 1.1]$ in all the locations. The values of data are transmitted along with some of the shared labels; for example, on label $e$ of $T$, the transition guard is $s + t > k$. The reachability specification is whether the property $s + 2t - 3k = 0$ can be satisfied at the global location $(s_5, t_5, k_5)$.

In our path-oriented approach, for each of these three paths we generate a group of linear constraints that represents all the timed runs corresponding to the path. Take the path $(t_1) \rightarrow (t_2) \rightarrow (t_3) \rightarrow (t_4) \rightarrow (t_5)$ of the system $T$ for example:

- Use $\binom{t_i}{\delta_i^t}$ to indicate that the system has stayed in location $t_i$ for time delay $\delta_i^t$ (a nonnegative variable). The behavior of the system is represented by $\binom{t_1}{\delta_1^t} \rightarrow \binom{t_2}{\delta_2^t} \rightarrow \binom{t_3}{\delta_3^t} \rightarrow \binom{t_4}{\delta_4^t} \rightarrow \binom{t_5}{\delta_5^t}$, where $\delta_1^t, \delta_2^t, \delta_3^t, \delta_4^t, \delta_5^t$ must satisfy all the time constraints enforced by the system, which forms a group of linear constraints.

• For each location $t_i$, two variables $\gamma_i(t)$ and $\zeta_i(t)$ are generated to represent the valuation of $t$ when entering $t_i$ and when leaving $t_i$ after staying there for $\delta_i^t$ time units.

• Take the location $t_3$ for example: according to the flow condition, $1.1\,\delta_3^t + \gamma_3(t) \ge \zeta_3(t) \ge 0.9\,\delta_3^t + \gamma_3(t)$.

• For the transition guard $t \le 5$ on the local transition $g$ leaving location $t_i$, we have $\zeta_i(t) \le 5$.

• For the reset action $t := 2$ on the local transition $d$ entering $t_3$, we have $\gamma_3(t) = 2$.

- Synchronization constraints are added to ensure that these three components cooperate accurately according to the synchronization events, which are illustrated by the dashed lines and SYN(event) in Fig. 4(B).

• For the event $b$ shared by $S$ and $T$, the time $S$ has spent before taking $b$ must equal the time $T$ has spent before taking $b$, which gives a linear equation over the delays $\delta_i^s$ and $\delta_i^t$ up to that transition.

• For the transition constraints including outer variable reading, e.g., $s + t > k$ on $e$, we have $\zeta_j(s) + \zeta_3(t) > \zeta_l(k)$, where $s_j$ and $k_l$ are the locations $S$ and $K$ leave when $e$ is taken.

• All the components have spent exactly the same time, e.g., for $S$ and $T$ we have $\delta_1^s + \delta_2^s + \delta_3^s + \delta_4^s + \delta_5^s = \delta_1^t + \delta_2^t + \delta_3^t + \delta_4^t + \delta_5^t$.

• For the reachability specification $s + 2t - 3k = 0$, we get $\zeta_5(s) + 2\zeta_5(t) - 3\zeta_5(k) = 0$.



Above all, the path-oriented reachability analysis problem is transformed into the feasibility problem of a set of linear constraints. It is well known that the feasibility problem of linear constraints can be solved efficiently by linear programming (LP) techniques. Utilizing an LP solver, we can develop an efficient tool for the path-oriented reachability analysis of $CLHA_{RV}$ where the length of the path, the size of each $LHA_{RV}$ and the number of components are all close to practical problem scales. Thus, we can achieve the objective of fast verification of the existence of certain scenarios in the model of control parameter calculations in CBTC systems.

4 Experimental Evaluation 

To demonstrate the modeling and verification techniques for control parameter calcula- 
tions in the CBTC system proposed in this paper and show the ability of fast verification 
of the path-oriented reachability method, we verify the train collision scenario given in 
the last section using the model built in Sec. 3. 

The scenario we selected to verify is whether, if the communication channel fails during train 
operation, all the trains can stop safely without colliding with each other; the 
corresponding scenario-based automaton we built for each train is shown in Fig. 3. The 
model represents the path 
$(compute) \xrightarrow{cv_i} (adjustment) \xrightarrow{op_i} (cruise) \xrightarrow{EBrake} (EBraking)$ 
for each train $Train_i$, and the reachability specification is that the positions of two nearby 
trains are equal to each other, for example $train_1.x = train_2.x$. Since the system is 
still under simulation and debugging, we use a group of traditional running values for 
the parameters in the model from our colleagues in the railway area. 
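As an added example (not code from the paper or from BACH), the encoding of Sec. 3 carried through for this two-train collision scenario: each train has one continuous variable x and the path compute → adjustment → cruise → EBraking, with $\delta_j$, $\gamma_j(x)$ and $\xi_j(x)$ per location (the 12 variables per train of Table 1), flow bounds, a dwell-time guard, the equal-elapsed-time synchronization constraint and the specification $train_1.x = train_2.x$. The flow bounds, the guard, the initial gap and the look-ahead horizon are constructed values, a small exact phase-1 simplex stands in for the LP solver BACH uses, and all variables (dwell times and positions) are assumed nonnegative.

```python
# Added example, not the paper's or BACH's code: path constraints plus an exact feasibility check.
from fractions import Fraction as F
PATH = ["compute", "adjustment", "cruise", "EBraking"]
# Constructed, illustrative values (not the railway parameters used in the paper):
RATE = {"compute": (18, 20), "adjustment": (15, 20), "cruise": (15, 18), "EBraking": (0, 15)}  # dx/dt in [lo, hi] m/s
DWELL = {"compute": F(1, 2)}   # transition guard: leave 'compute' within 0.5 s of entering it

def build_constraints(x0s, horizon):   # rows (coeffs, rhs) stand for sum(coeffs[v] * var[v]) <= rhs
    L, nv, rows = len(PATH), 3 * len(PATH) * len(x0s), []
    idx = lambda i, j, k: (i * L + j) * 3 + k   # train i, location j, k: 0 delta_j, 1 gamma_j(x), 2 xi_j(x)
    def le(terms, rhs):
        c = [F(0)] * nv
        for coef, v in terms:
            c[v] += F(coef)
        rows.append((c, F(rhs)))
    def eq(terms, rhs):                # an equality is two inequalities
        le(terms, rhs); le([(-a, v) for a, v in terms], -rhs)
    for i, x0 in enumerate(x0s):
        eq([(1, idx(i, 0, 1))], x0)                         # gamma_1(x) = initial position
        for j, loc in enumerate(PATH):
            d, g, xi = (idx(i, j, k) for k in range(3))
            lo, hi = RATE[loc]
            le([(lo, d), (1, g), (-1, xi)], 0)              # flow: lo*delta_j + gamma_j <= xi_j
            le([(-hi, d), (-1, g), (1, xi)], 0)             #       xi_j <= hi*delta_j + gamma_j
            if loc in DWELL: le([(1, d)], DWELL[loc])       # guard on the dwell time delta_j
            if j + 1 < L: eq([(1, idx(i, j + 1, 1)), (-1, xi)], 0)   # gamma_{j+1} = xi_j (no reset)
        if i: eq([(1, idx(i, j, 0)) for j in range(L)] + [(-1, idx(0, j, 0)) for j in range(L)], 0)  # SYN: same elapsed time
    le([(1, idx(0, j, 0)) for j in range(L)], horizon)      # only the next `horizon` seconds are examined
    eq([(1, idx(0, L - 1, 2)), (-1, idx(1, L - 1, 2))], 0)  # spec: train_1.x = train_2.x at the end of the path
    return rows, nv

def feasible(rows, nv):   # phase-1 simplex with Bland's rule over exact rationals; all variables >= 0
    m = len(rows); w = nv + 2 * m; T, basis = [], [nv + m + i for i in range(m)]   # cols: vars, slacks, artificials
    for i, (c, b) in enumerate(rows):
        s = 1 if b >= 0 else -1                             # flip rows with a negative right-hand side
        r = [s * x for x in c] + [F(0)] * (2 * m) + [s * b]
        r[nv + i], r[nv + m + i] = F(s), F(1)
        T.append(r)
    obj = [-sum(r[j] for r in T) if j < nv + m else F(0) for j in range(w)] + [-sum(r[-1] for r in T)]
    while True:                                             # minimise the sum of the artificial variables
        e = next((j for j in range(w) if obj[j] < 0), None)
        if e is None: return obj[-1] == 0                   # feasible iff every artificial can be driven to 0
        _, _, l = min((T[i][-1] / T[i][e], basis[i], i) for i in range(m) if T[i][e] > 0)
        p = T[l][e]; T[l] = [x / p for x in T[l]]; basis[l] = e
        for i in range(m):
            if i != l and T[i][e]: T[i] = [a - T[i][e] * q for a, q in zip(T[i], T[l])]
        obj = [a - obj[e] * q for a, q in zip(obj, T[l])]

def collision_reachable(gap, horizon):   # train 1 starts `gap` m ahead of train 2; both follow the same path
    return feasible(*build_constraints([gap, 0], horizon))
```

With these constructed bounds a 200 m gap can be closed within a 10 s horizon (the collision scenario is feasible), a 250 m gap cannot, and the same 250 m gap becomes reachable again once the horizon is extended to 20 s.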

The experiments are conducted in an ongoing version of BACH [9,10], which is a 
toolset for building LHA models and verifying the bounded reachability property of 
LHA systems, and can be downloaded from http://seg.nju.edu.cn/BACH/. On 
a DELL workstation (Intel Core2 Quad CPU 2.4GHz, 4GB RAM), we evaluate the 
potential of the path-oriented reachability analysis method presented in this paper using 
the CBTC model shown in Fig. 3. 

The experiment data is shown in Table 1. The largest problem BACH can solve in 
500 ms consists of 16 trains, which is a very complex system and enough for a running 
urban railway system. According to our consultation with the engineers of the urban rail- 
way company, it is expected that the number of trains under operation on a normal track 
is around 15 to 20. Thus, the technique presented in this paper is applicable to 
daily operation. The parameters we used in the model are proven safe by verifi- 
cation, which means certain path-oriented reachability specifications are not satisfied. 
Meanwhile, the runtime memory overhead of the computation, which is not listed in 
the table, is very small. 

The data in Table 1 gives a clear demonstration of the processing ability of fast ver- 
ification of the bad scenario in the model for control parameter calculations. It also 
strengthens our belief that this technique can be used online while the system is in opera- 
tion to guarantee the correctness of the important control parameters. As the linear pro- 
gramming solver underlying BACH is a free collection of Java classes for research [12], 
we believe that if the linear programming package is replaced by an advanced commercial 
one, the performance will be even better. 



Table 1. Experimental Data on the CBTC System 

Path: 
  Train_1:     (compute) --cv_1-->     (adjustment) --op_1-->     (cruise) --EBrake--> (EBraking) 
  Train_2:     (compute) --cv_2-->     (adjustment) --op_2-->     (cruise) --EBrake--> (EBraking) 
  ... 
  Train_{n-1}: (compute) --cv_{n-1}--> (adjustment) --op_{n-1}--> (cruise) --EBrake--> (EBraking) 
  Train_n:     (compute) --cv_n-->     (adjustment) --op_n-->     (cruise) --EBrake--> (EBraking) 

   n   Constraint   Variable   Time 
   8   1208         96         0.175s 
  10   1550         120        0.23s 
  12   1908         144        0.328s 
  14   2282         168        0.404s 
  16   2672         192        0.469s 



5 Related Work and Further Discussion 

5.1 Related Work 

The verification of train control systems has been intensively studied. Study [17] gives 
a method to generate the high-level requirements from a subset of the specification of 
an ETCS [5] system, and uses the method in [18] to verify the consistency between require- 
ments. These two works belong to the category of requirement engineering, and do not 
touch the real-time behaviors of the system. 

Study [19] models the communication in train control systems with Live Sequence 
Charts (LSC), then validates the LSC by model checking and testing. Study [20] models 
the behavior of train control systems by timed state transition systems and verifies the 
given property by bounded model checking and compositional reasoning. These studies 
all give high-level models for the behaviors of the system without considering the dynamic 
behavior of the movement of the train. 

Study [16] models a fully parametric ETCS system using differential dynamic logic 
and verifies the system by logical deductive verification. Study [15] builds different com- 
plex models for different layers of an ETCS system and verifies these models using layer- 
specific technologies. These works build static models for the ETCS system without 
considering it as a dynamic system which works in an open environment. Thus, 
they include only rather limited parameters used in the control functions in the model. 

5.2 Verification of CPS Systems 

The new CPS computing paradigm brings new challenges and requirements to the 
research community, like how to guarantee the qualities of service, how to generate 
the formal models for the system and so on, which are proposed and summarized in 
many studies like [13,14]. The CBTC system is a typical CPS system which combines 
communication, computation and control tightly. From the experience we learned dur- 
ing verifying the CBTC system, we think Control Parameter Calculations Verification 
could be an emerging topic in the verification of CPS systems. Furthermore, we sum- 
marize the following subtopics we think are worth studying and paying attention to: 



- Modeling Language. CPS systems run under dynamic environments. They 
receive signals from each other and the environment in an unpredictable way. How 
can the nondeterminism be modeled and verified? For CBTC systems, we choose to 
use linear hybrid automata as the modeling language and focus on the modeling of 
the ongoing static behavior of the system once the control parameters are generated. 
What about general CPS systems; do we need to introduce a new language? 

- Time Bounded Verification. Compared with classical verification, which tries to 
prove the correctness of the complete behavior of the system, the verification of 
CPS systems focuses more on the correctness of the behavior in a given time bound, 
e.g., will the train collide with the one ahead within 500 milliseconds in this paper. This 
is a new direction of Bounded Model Checking [22], where the term "bound" means 
time, rather than "steps" as used in classical Bounded Model Checking. 

- Online and Fast Verification. As the control parameters of CPS systems change 
quickly, the verification module needs to give a quick answer on the correctness 
of the newly generated set of parameters. We think it is necessary to investigate how 
to build fast and low-overhead online verification techniques for CPS systems. 



6 Conclusion 

In this paper, we introduce our experience in modeling and verifying the control param- 
eter calculations in a CBTC system, which is a typical CPS system. Based on our study 
of this system, we propose our ideas of the requirements for modeling and verifying 
control parameters in a CBTC system. For the modeling language, we think it should be a 
composed hybrid system with support for component communication and data transmis- 
sion. For the verification technique, we insist that the verification for CBTC systems should be 
online and fast verification of the ongoing behavior in the short future, and the problem 
that needs to be verified is the existence of certain dangerous scenarios. 

To demonstrate our ideas, we introduce the notion of Composed Linear Hybrid Au- 
tomata with Readable Shared Variables to model the behavior of the CBTC system 
induced by the control parameters. We also present a path-oriented reachability analysis 
method to achieve the objective of online scenario-based verification. The experi- 
mental results strongly support our belief by showing the processing ability of fast solving 
of a system consisting of 16 trains in less than 500 milliseconds, which is the period of 
parameter generation in the CBTC system. 

Currently, with the help of our colleagues from railway areas, we are trying to im- 
plement this technique in a standalone device which can be integrated and deployed 
into the onboard ATP module as a part of the CBTC system to check the correctness of 
the velocity range given by ATP. Safety-critical scenarios can be enumerated by CBTC 
engineers ahead of time, and the model patterns corresponding to these scenarios can be designed 
in advance as well. Then the device can catch the latest generated parameter set, build the 
related models using the patterns and verify them online. It is supposed to work as a 
runtime monitor/checker on the train under experimentation to guarantee the safety of 
the control parameters before the parameters are utilized. 